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ABSTRACT 

Technical  Report 


Petri  nets  are  directed  graphs  which  were  designed  to  model  discrete  event  systems 
with  concurrence  and  resource  sharing.  This  makes  them  a  useful  method  of 
graphically  representing  command  and  control  systems.  In  this  document  Petri  nets 
and  some  of  their  extensions  are  explained  in  detail.  Coloured  Petri  nets,  an 
extension  of  Petri  nets,  with  timed  transitions  are  used  to  model  a  command  and 
control  system. 
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PETRI  NETS  AND  THEIR  APPLICATION  TO  COMMAND 
AND  CONTROL  SYSTEMS 


Executive  Summary 


Systems  Simulation  and  Assessment  group  is  currently  developing  software  to  be  used  in  the 
modelling  of  command  and  control  systems.  This  software  will  be  used  for  analysis  of 
existing  and  possible  command  and  control  systems. 

This  document  introduces  the  concept  of  using  Petri  nets  as  a  tool  to  model  command  and 
control  systems.  The  document  first  introduces  Petri  nets,  concentrating  on  those  aspects 
that  are  relevant  for  the  modelling  and  analysis  of  command  and  control  systems.  This  is 
followed  by  a  study  of  a  particular  command  and  control  system  which  illustrates  the 
applicability  of  Petri  nets  as  a  tool  for  this  type  of  modelling. 

One  of  the  main  problems  with  using  Petri  nets  is  the  models  become  complex  when  used  to 
represent  large  systems.  This  has  been  overcome  by  extending  the  Petri  net  representation  to 
allow  more  complex  elements  to  be  represented  in  a  simpler  form.  This  extension  and  the 
ease  with  which  concurrence,  synchronisation,  and  resource  sharing  can  be  represented  by 
Petri  nets  makes  them  an  ideal  method  of  representing  command  and  control  systems. 

Systems  Simulation  and  Assessment  group  plan  to  apply  Petri  nets  two  ways.  In  the 
representation  of  nodes  in  an  interactive  simulation  and  as  a  method  of  analysing  complete 
command  and  control  systems.  As  part  of  these  aims  research  into  analysis  techniques  is 
being  conducted  as  well  as  the  development  of  Petri  net  simulation  tools. 
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1  INTRODUCTION 


The  aim  of  this  document  is  to  introduce  the  idea  of  using  Petri  nets  (PN)  in  the  modelling 
and  analysing  of  command  and  control  (C2)  systems.  The  work  reported  here  was  done 
under  task  ADF  93/237,  the  command,  control,  communications  and  intelligence  simulation 
task,  and  also  contributed  to  an  honours  thesis  in  applied  mathematics. 

The  modelling  of  C2  systems  is  a  rapidly  expanding  field,  mainly  motivated  by  the  U.S. 
Department  of  Defence  over  the  last  ten  to  fifteen  years.  In  this  time,  many  different 
methods  of  modelling  C2  have  been  developed: 

•  Time  line  models,  [10]  and  [22]. 

•  Dynamic  models,  in  which  various  methods  of  dynamic  analysis,  both  classical  and 
modem,  are  applied.  Methods  such  as  thermodynamics,  [21],  discrete  state  Markov 
processes,  [39-41],  statistical  mechanics,  [15-17],  chaos  theory,  [9],  [11],  and  [46-47],  and 
adaptive  control,  [42]. 

•  Conflict  and  combat  models  such  as  Lanchester  models,  stochastic  combat  models,  and 
game  theory.  These  models  have  been  used  in  the  past  to  model  combat  and  can  be 
further  adapted  to  include  C2  aspects,  [43]. 

•  PN,  which  model  the  data  flow  through  the  C2  system. 

Before  a  modelling  method  is  chosen  the  modeller  must  establish  what  type  of  model  is  most 
applicable  for  the  system  being  modelled.  The  U.S.  Joint  Chiefs  of  Staff  in  [1]  define  C2  as: 

"The  exercise  of  authority  and  direction  by  a  properly  designated 
commander  over  assigned  forces  in  the  accomplishment  of  his  mission. 
Command  and  control  functions  are  performed  through  an  arrangement  of 
personnel,  equipment,  communications,  facilities,  and  procedures  which 
are  employed  by  a  commander  in  planning,  directing,  coordinating  and 
controlling  forces  and  operations  in  the  accomplishment  of  his  mission." 

This  definition  illustrates  that  C2  systems  can  be  thought  of  as  complex  event  systems  which 
involve  concurrent  and  parallel  activities,  synchronisation  of  events  and  resource  sharing. 
This  makes  PN  ideally  suited  for  modelling  such  systems  as  I  will  demonstrate. 

The  PN  method  involves  the  definition  of  each  of  the  main  components  of  the  system  and 
modelling  the  information  flow  through  these  elements,  to  the  required  level  of  detail  for  the 
study  being  performed.  For  example,  this  may  mean  modelling  a  decision  maker  as  a  single 
process,  by  its  exact  definition,  or  by  a  generic  means  such  as  that  developed  by  Levis  in 
[24]. 

This  document  comprises  two  parts.  Section  2  introduces  the  theory  of  Petri  nets  (PN),  and 
sections  3  to  5  show  how  PN  can  be  applied  to  a  C2  system. 


2  PETRI  NETS 


PN  were  originally  developed  by  Carl  Petri  in  his  doctorial  thesis  in  1962  [35]  for  use  in  the 
modelling  of  computer  systems.  Since  their  development  PN  have  been  used  to  model  many 
different  systems  including  computer  circuits,  as  in  [34]  and  [36],  assembly  lines,  see  [28], 
flexible  manufacturing  systems,  [44]  and  more  recently  C2,  [5],  [6],  [20],  [23-26],  [31],  [37], 
and  [45].  In  this  section  the  basic  ideas  behind  PN  will  be  explained.  Some  of  the  properties 
of  PN  are  outlined,  other  properties  may  be  found  in  references  [14],  [27],  [31],  [33-34],  [36], 
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and  [38].  The  use  of  reachability  trees,  the  PN  matrix  representation,  and  the  conversion  of 
PN  into  Continuous  Time  Markov  Chains  (CTMC)  are  explained  as  methods  for  analysing 
PN.  It  should  be  noted  there  are  other  methods  of  analysis,  such  as  those  presented  in  [12] 
and  [38],  Finally,  some  extensions  to  PN  are  introduced.  These  include  coloured  tokens  and 
some  variations  to  arcs. 

2.1  Ordinary  Petri  nets 

A  PN  is  a  directed  graph  with  two  types  of  nodes:  places  and  transitions.  Pictorially, 
places  are  indicated  by  circles  and  represent  entities  such  as  conditions  and  buffers. 
Transitions  are  displayed  on  the  graph  as  bars  and  represent  concepts  in  the  real 
system  such  as  processors,  algorithms,  and  events.  The  nodes  are  joined  by  one  of  two 
types  of  directed  arcs:  input  arcs  and  output  arcs.  An  input  arc  goes  from  a  place  to  a 
transition.  The  set  of  places  with  input  arcs  going  to  a  given  transition  are  called  the 
transition's  input  places.  An  output  arc  runs  from  a  transition  to  a  place.  The  set  of 
places  with  output  arcs  coming  from  a  particular  transition  are  called  the  transition's 
output  places.  It  should  be  noted  that  arcs  can  only  go  from  a  place  to  a  transition  or 
visa  versa.  Tokens  make  up  the  final  element  in  a  PN.  Tokens  are  represented 
graphically  by  identical  dots  and  can  only  be  found  in  places.  The  movement  of 
tokens  between  places  is  controlled  by  the  transitions  of  the  PN.  In  a  model,  the 
position  of  the  tokens  defines  the  state  of  the  system,  defining  situations,  such  as 
availability  of  resources,  satisfied  conditions  and  items  in  a  buffer.  Each  place  is 
mapped  to  the  number  of  tokens  in  it  by  a  function,  defined  as  the  marking.  A 
transition  is  said  to  be  enabled  if  and  only  if  all  of  its  input  places  contains  at  least  one 
token  for  each  input  arc  going  from  the  place  to  the  transition.  When  an  enabled 
transition  is  activated,  changing  marking,  it  is  said  to  fire.  Upon  firing,  the  transition 
removes  a  token  from  each  input  place  and  deposits  one  in  each  of  its  output  places. 

A  PN  with  n  places  and  m  transitions  can  be  represented  by  the  5-tuple 

PN  =  {P,  T,  I,  O,  M0) 

where  •  P  =  [PI,  P2,  ...,  Pn]  is  the  set  of  places; 

•  T  =  [tl,  t2,  ...,  tm]  is  the  set  of  transitions; 

•  I  is  the  mapping  of  P  x  T  ->  Z*  such  that  if  there  exists  k  input  arcs 
connecting  Pi  to  tj  then  I(Pi,  tj)  =  k; 

•  O  is  the  mapping  of  T  x  P  — >  Z*  where  if  there  exists  k  output  arcs 
connecting  tj  to  Pi  then  0(tj,  Pi)  =  k;  and 

•  M0  is  the  initial  marking  of  the  PN,  that  is  the  initial  distribution  of 
tokens  in  the  PN. 

Consider  the  simple  example  of  the  PN  shown  in  Figure  1.  In  this  PN: 

P  =  [PI,  P2,  P3,  P4,  P5], 

T  =  [tl,  t2,  t3,  t4], 

I(P1,  tl)  =  1  I(P3,  t2)  =  1  I(P2,  t3)  =  1  I(P4,  t3)  =  1  I(P5,  t4)  =  1 

0(t4,  PI)  =  1  0(tl,  P2)  =  1  0(tl,  P3)  =  1  0(t2,  P4)  =  1  0(t4,  P4)  =  1 
0(t3,  P5)  =  1 

M0(P1)  =  1  M0(P2)  =  0  M0(P3)  =  0  Mo(P4)  =  0  M0(P5)  =  0 

where  only  the  non-zero  values  of  the  input  and  output  mappings  have  been  given. 
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Figure  1:  Example  Petri  net 

Initially,  transition  tl  is  enabled  and,  after  it  fires,  the  marking  becomes: 

M^Pl)  =  0  MX(P2)  =  1  Mj(P3)  =  1  MX(P4)  =  0  Mj(P5)  =  0 

Thus  the  firing  of  tl  removes  a  token  from  PI,  and  places  a  token  one  in  both  P2  and 
P3.  Now  transition  t2  is  enabled  to  fire.  Marking  M0  is  shown  in  Figure  1. 

The  order  in  which  transitions  of  a  PN  fire  is  called  a  firing  sequence.  A  PN  may  have 
a  number  of  different  firing  sequences  for  a  given  marking,  this  occurs  if  more  than 
one  transition  is  enabled  during  the  firing  sequence.  Consider  the  PN  shown  in 
Figure  2,  with  the  initial  marking 

M0(P1)  =  1,  M0(P2)  =  0,  M0(P3)  =  0. 


Figure  2:  Example  Petri  net 


Some  possible  firing  sequences  for  this  PN  are: 

•  {tl,  t2,  tl,  t2,  tl,  t2,  tl,  t2,  ...} 

•  {tl,  t3,  tl,  t3,  tl,  t3,  tl,  t3,  ...} 

•  {tl,  t2,  tl,  t3,  tl,  t2,  tl,  t3,  ...} 

There  are  infinitely  many  firing  sequences  for  this  PN  with  the  initial  marking  defined 
above. 
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2.2  Matrix  representation  of  a  Petri  net 

The  structure  of  a  PN  with  n  places  and  m  transitions  can  be  represented  by  an  n  x  m 
matrix  C,  called  its  incidence  matrix.  The  rows  in  the  incidence  matrix  correspond  to 
places  and  the  columns  to  transitions,  where 

C„  =  0(tj,  Pi)  -  I(Pi,  tj). 

The  incidence  matrix  for  the  PN  in  Figure  1  is. 


C  = 


-1 
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1 

0 
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0 

0 

-1 

1 
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0 

-1 

0 

-1 

1 


1 

0 

0 

1 

-1 
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The  PN  marking  can  be  represented  by  a  vector  of  size  n  called  the  marking  vector, 
were  the  ith  element  of  the  vector  M  is  given  by  M(Pi).  Hence  if  there  are  /  tokens  in 
the  ith  place  then  the  ith  element  of  M  will  take  the  value  l.  This  means  that  the 
marking  vector  for  the  initial  marking  shown  in  Figure  1  is, 

M0  =  [1  0  0  0  0]f. 

If  it  is  known  which  transition  will  fire,  the  resulting  marking  can  be  calculated  using, 

M  =  M0  +  CF 

where  F  is  the  firing  vector,  of  length  m,  such  that  F,  =  1  if  the  jth  transition  fires, 
otherwise  it  is  zero.  In  the  example  shown  in  Figure  1,  transition  1  is  enabled  by  the 
initial  marking  given  above,  so: 
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0  0 

1  ■ 

o' 

1 

0 

1 

0  -1 
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+ 
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1 

1— ‘ 
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1 
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0 

1  -1 

1 

0 

0 

0 

0 

0  1 

-1 

0 

This  marking  vector  represents  one  token  in  place  P2  and  one  in  place  P3.  In  fact  any 
given  firing  sequence  can  be  represented  by  the  firing  vector  F,  where  F;  is  the  number 
of  times  the  transition  i  fires  in  the  sequence.  The  marking  which  results  from  this 
sequence  of  firings  can  now  be  determined  from  the  initial  marking,  incidence  matrix, 
and  firing  vector.  For  example,  in  the  PN  in  Figure  1,  with  the  initial  marking  given 
above,  we  can  have  the  firing  sequence  {tl,  t2,  t3,  t4,  tl}  which  is  represented  by  the 
firing  vector 

F  =  [2  1  1  1]'. 

The  resulting  marking  can  be  calculated  as  follows 
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M  =  M0  +  CF 
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2.3  Some  Petri  net  properties 

There  are  many  different  properties  defined  for  PN.  This  section  will  briefly  outline  a 
few.  Other  properties  can  be  found  in  references  [12],  [27],  [32-34],  [36],  and  [38]. 

(a)  Conflict :  A  conflict  is  said  to  occur  between  transitions  for  a  given  marking,  if 

more  than  one  transition  is  enabled  at  the  same  time  and  the  firing  of  any  one  of 
these  transitions  will  disable  the  remaining  enabled  transitions.  Figure  2  shows 
a  PN  in  which  a  conflict  occurs  between  transitions  t2  and  t3  when  tire  marking 

M  =  [0  1  1]‘ 

occurs.  When  a  conflict  occurs  in  a  PN,  the  transition  which  fires  is  determined 
by  the  firing  rules  discussed  in  section  2.5.  This  is  an  important  property,  as  it 
indicates  how  the  sharing  of  resources  effects  the  system  performance.  In  some 
literature  conflict  is  referred  to  as  confusion. 


(c)  Deadlock:  When  deadlock  occurs  in  a  PN  none  of  the  transitions  can  fire,  halting 
the  execution  of  the  PN.  An  example  of  deadlock  is  the  PN  in  Figure  2  with  the 
marking 

M  =  [0  1  0]'. 

A  PN  which  is  deadlock  free  for  a  given  initial  marking  is  known  as  live  for  that 
marking.  For  example  the  PN  in  Figure  2  is  live  for  the  marking 

M  =  [1  0  0]' 

(d)  Reachability:  A  marking  Mi+j  is  said  to  be  immediately  reachable  from  a  marking  Mi7 
if  there  exists  a  transition  enabled  by  M;,  which  on  firing  will  give  the  marking 
Mi+1.  For  example,  in  the  PN  shown  in  Figure  2  the  marking 

Mj  =  [0  1  1]‘ 

is  immediately  reachable  from  the  initial  marking, 

M0  =  [10  0]‘. 

The  marking  Mi+n  is  said  to  be  reachable  from  M,  if  there  exists  a  firing  sequence 
[ti,  tj,  tk,  ...}  such  that  after  the  firing  of  all  these  transitions,  the  resulting 
marking  is  Mi+n. 

(e)  Boundedness:  A  place  of  a  PN  is  called  l-bounded  if  the  number  of  tokens  in  the 
place  never  exceeds  Z.  For  the  PN  in  Figure  1,  with  the  initial  marking  shown  in 
the  illustration,  places  PI,  P2,  P3,  and  P5  are  one-bounded,  however  P4  is 
unbounded.  A  PN  in  which  all  the  places  are  bounded  is  called  a  bounded  PN. 
The  PN  in  Figure  2  is  a  bounded  PN.  The  boundedness  of  places  in  a  PN 
indicates  the  maximum  number  of  tokens  which  can  appear  in  a  place.  This 
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may  correspond  to  the  maximum  length  of  a  queue.  Hence  unbounded  places 
are  potential  bottle  necks.  In  the  special  case  of  the  PN  in  Figure  2,  all  the 
places  are  one-bounded.  Such  a  PN  is  called  safe.  This  is  an  important  property 
in  the  modelling  of  computer  hardware,  as  it  indicates  that  the  state  of  each 
place  can  be  represented  by  a  one  or  a  zero. 


2.4  Timed  transitions 

In  section  2.1  it  was  stated  that  at  an  enabled  transition  can  fire  and  thus  change  the 
marking  of  the  PN  in  accordance  to  the  input  and  output  arcs.  The  transitions 
described  earlier  needed  only  to  be  enabled  to  fire.  This  is  no  longer  the  case  for  timed 
transitions.  Each  transition  now  takes  a  stochastically  determined  period  of  time,  x  say, 
before  it  can  change  the  PN  marking.  The  negative  exponential  distribution  is  usually 
used  to  determine  the  life  time  of  transition  j,  where  each  transition  can  have  a 
different  parameter,  x^.  This  is  done  for  simplicity,  as  it  allows  the  PN  to  be  converted 
to  a  CTMC,  see  section  2.7,  and  analysed  directly.  However,  any  probability 
distribution  can  be  used  to  define  the  time  taken  for  a  transition  to  fire.  Note,  in  this 
discussion  it  will  be  assumed  that  a  negative  exponential  distribution  is  used  to 
determine  the  firing  times,  but  the  ideas  presented  can  be  extended  in  most  cases  to 
include  any  type  of  probability  distribution.  In  a  modelling  context,  timed  transitions 
represent  the  time  taken  by  the  system  to  perform  a  given  task.  Recalling  what 
transitions  physically  represent,  it  is  also  convenient  to  have  transitions  which  fire  in 
zero  time.  These  are  called  immediate  transitions  and  fire  the  instant  they  are  enabled. 
These  changes  to  the  PN  definition  require  an  expansion  of  the  PN  representation  to 
the  6-tuple 


PN  =  {P,  T,  I,  O,  M0,  n\ 

where  P,  T,  I,  O,  M0  are  as  described  in  section  2.1  and  Q  is  one  of  two  things:  either 
an  average  firing  rate  of  the  transition  if  it  is  a  timed  transition,  or  a  weight  if  it  is  an 
immediate  transition.  Thus  Q.  has  two  purposes:  it  is  used  in  the  calculation  of  the 
time  x  and  it  determines  which  immediate  transition  will  fire,  if  more  than  one 
immediate  transition  is  enabled.  Note  that  for  some  distributions  Q  will  be  defined 
differently  to  allow  for  more  parameters. 

There  are  two  types  of  timed  transitions.  The  type  used  in  this  document,  which 
requires  the  transition  to  be  enabled  for  a  period  of  time  before  it  fires.  On  firing  the 
transition  changes  the  PN  marking  as  set  out  in  section  2.1.  In  some  literature  this 
type  of  time  delay  is  defined  as  an  enabling  time  (see  [29]).  In  the  other  method  the 
tokens  are  removed  from  the  input  places  immediately  a  transition  is  enabled  and  the 
output  tokens  are  not  placed  in  the  output  places  until  the  specified  period  of  time  has 
passed  (see  [29]).  An  alternative  way  of  representing  this  second  method  is  to  use 
timed  places,  whereby  tokens  are  held  in  places  and  cannot  be  used  to  enable  a 
transition  until  they  have  been  in  the  place  for  a  given  period  of  time.  This  document 
will  consider  only  the  first  method  defined  above. 

2.5  Firing  rules  for  resolving  conflict 

If  conflict  occurs  then  a  number  of  strategies  can  be  applied,  see  [13].  For  the 
situations  considered  in  this  document  the  following  strategy  will  be  used: 

(a)  If  all  the  enabled  transitions  are  timed  transitions,  then  a  x  value  is  determined 
for  each  enabled  transition  and  the  transition  with  the  shortest  time  fires. 

(b)  If  all  the  enabled  transitions  are  immediate  transitions,  then  the  £1  values,  of 
each  of  these  transitions,  called  their  weights,  are  used  to  determine  which  one 
will  fire.  This  is  determined  in  the  following  manner: 
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•  Let  X  be  the  sum  of  the  weights  of  all  the  enabled  immediate  transitions. 

•  Transition  t  will  fire  with  a  probability  of  D(t)/X. 

Thus  the  transition  that  fires  is  determined  probabilistically  using  the  weights. 

(c)  If  a  combination  of  immediate  and  timed  transitions  are  enabled,  then  only  the 
immediate  transitions  are  considered  and  they  are  dealt  with  as  set  out  above  in 
(b). 

It  should  be  noted  that  a  marking  in  which  only  timed  transitions  are  enabled  is  called 
a  tangible  marking,  and  a  marking  with  immediate  transitions  enabled  is  called  a 
vanishing  marking.  The  distinction  between  these  two  types  of  markings  is  important  in 
the  conversion  of  a  PN  into  a  CTMC. 

2.6  Generating  a  reachability  tree 

A  reachability  tree  describes  the  possible  markings  of  a  PN.  The  root  of  the  tree  is  the 
initial  marking.  Below  this  marking,  each  of  the  possible  immediately  reachable 
markings  are  listed.  Directed  arcs  going  from  the  initial  marking  to  each  of  the 
immediately  reachable  markings  are  drawn  and  labelled  with  the  transition  required  to 
reach  the  specified  marking.  This  process  is  then  repeated  for  each  of  the  markings 
generated.  If  the  marking  to  be  generated  is  equivalent  to  one  which  appears  earlier  in 
the  tree,  then  the  generating  marking  is  connected  to  the  earlier  marking  by  an  arc 
labelled  with  the  appropriate  transition. 


Consider  the  PN  in  Figure  3  with  the  initial  marking 

M0  =  [1  0  0  0  0]‘. 


In  this  PN,  the  transition  t6  is  considered  to  be  an  immediate  transition,  whereas  the 
other  four  are  timed  transitions.  When  conflict  occurs  between  immediate  and  timed 
transitions,  the  firing  rules  set  out  in  section  2.5  must  be  observed.  That  is,  the 
immediate  transitions  will  always  fire  before  the  timed  ones,  so  the  markings  which 
correspond  to  the  timed  transitions  are  not  reachable  and  so  do  not  appear  in  the 
reachability  tree.  The  generation  of  the  reachability  graph  for  the  PN  in  Figure  3  is  as 
follows: 
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(a)  Step  1:  Transitions  tl,  t2  and  t3  are  the  only  enabled  transitions  for  initial 
marking,  so  the  immediately  reachable  markings  are 

Mj  =  [0  1  0  0  0]‘,  M2  =  [0  0  1  0  0]‘  and  M3  =  [0  0  0  1  0]f 

thus,  these  three  markings  are  listed  as  the  children  of  the  root.  The  appropriate 
label  is  then  placed  on  each  of  the  arcs  connecting  the  initial  markings  to  the 
new  marking.  The  tree  now  takes  the  form: 


Cl  0  0  G  0) 


CO  1  0  0  0)  CO  0  1  0  0)  CO  0  0  1  0) 


(b)  Step  2:  Now  each  of  the  immediately  reachable  markings  from  Mlr  M2  and  M3 
are  listed  in  the  tree,  these  are 

M4  =  [1  0  0  0  0]',  M5  =  [0  0  0  0  1]  and  M6  =  [10  10  0]1 

respectively.  Since  the  only  marking  reachable  from  Mj  is  M4  which  is 
equivalent  to  M0,  no  marking  is  listed  below  Mx.  Instead  another  arc  is  drawn 
between  M0  and  M4/  this  time  going  from  M4  to  M0  and  labelled  t5.  However, 
markings  Ms  and  M6  are  added  to  the  tree  on  the  next  level.  The  reachability 
tree  becomes: 


Cl  0  0  0  0) 


(c)  Step  3:  When  the  PN  has  the  marking  Ms  it  is  in  deadlock,  and  so  no  more 
markings  can  be  reached.  Thus,  this  branch  of  the  tree  has  reached  its  end. 
However,  the  marking 


M7  =  [1  0  0  0  1]' 

is  reachable  from  M6,  so  this  branch  continues.  It  should  be  noted  that 
transitions  tl,  t2  and  t3  are  enabled  when  the  PN  has  the  marking  Ms,  but  never 
fire,  as  they  are  timed  transitions,  whereas  t5,  which  is  also  enabled,  is  an 
immediate  transition.  Thus,  the  markings  produced  by  the  firing  of  the  time 
transitions  tl,  t2  or  t3  do  not  occur.  The  tree  is  now: 
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(1  0  0  0  1) 


This  process  continues  on  and  Figure  4  shows  the  resulting  tree  after  eight  steps.  It 
should  be  noted  that,  for  the  PN  specified,  this  process  can  continue  indefinitely.  This 
necessitates  the  definition  of  a  new  type  of  tree,  the  coverability  tree.  In  a  coverability 
tree,  any  set  of  markings  which  differ  only  by  the  number  of  tokens  found  in 
unbounded  places,  are  represented  by  one  marking.  A  w  is  placed  in  the  unbounded 
place/s  indicating  the  number  of  tokens  in  that  place  to  be  unbounded.  The  w 
corresponds  to  any  element  of  the  set  Zt.  This  is  best  illustrated  by  an  example. 
Figure  5  shows  the  coverability  tree  for  the  PN  shown  in  Figure  3.  The  coverability 
tree  is  designed  in  a  similar  way  as  the  reachability  tree,  for  more  details  see  [34], 


Figure  4:  Reachability  tree  for  the  Petri  net  in  Figure  3 
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(1  0  G  0  U) 


(0  0  0  0  1) 


(10  10  0) 


(1  0  0  0  w> 


(0  0  0  0  w) 


(1  0  1  0  w> 


t6 


Figure  5:  Coverability  tree  for  the  Petri  net  in  Figure  3 


By  constructing  a  reachability  or  coverability  tree,  the  set  of  reachable  markings  is 
easily  obtained.  A  reachability  tree  can  be  used  to  determine  safeness,  boundedness, 
conservation,  and  reachability  of  a  PN.  The  process  in  which  this  can  be  done  is 
outlined  in  [34], 


2.7  The  use  of  the  Petri  net  matrix  representation  in  analysis 

Linear  algebra  techniques  can  be  applied  to  the  matrix  representation  of  a  PN  to  solve 
the  problems  of  conservation,  reachability,  coverability,  boundedness,  and  deadlock. 
For  example,  consider  the  determination  of  whether  or  not  a  given  marking  is 
reachable  from  a  given  initial  marking,  for  a  defined  PN.  That  is,  C  (incidence  matrix), 
M0  (initial  marking)  and  M  (desired  marking)  are  given,  and  F  (the  firing  vector)  is 
unknown.  This  problem  can  be  solved  using  the  following  theorem,  adapted  from 
elementary  linear  algebra,  see  [30]. 


Consider  the  system  of  equations 

CF  =  M  -  M0  =  AM. 
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Then  only  one  of  the  following  must  hold: 

(a)  If  the  rank  of  the  augmented  matrix  [C  |AM]  is  greater  than  that  of  C,  then 
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there  is  no  solution  to  the  system  of  equations. 

(b)  If  the  rank  of  [C  |AM]  is  equal  to  the  rank  of  C  and  the  rank  of  C  equals  the 
number  of  unknowns,  then  there  is  a  unique  solution  to  the  system  of  equations. 

(c)  If  the  rank  of  [C  |AM]  is  equal  to  the  rank  of  C  and  the  rank  of  C  is  less  than 
number  of  unknowns,  then  there  exists  an  infinite  number  of  solutions  to  the 
system  of  equations. 

For  the  PN  shown  in  Figure  1,  with  M0  and  C  given  in  section  2.2  it  can  be  determined 
whether  or  not  the  markings 

=  [0111  0]'  and  M2  =  [0  0  0  0  0]‘ 
are  reachable.  The  rank  of  C  is  4.  Taking  M!  first  we  get. 


AMj  =  Mj  -  M0  =  [-1  1  1  1  0]' 


[C|AMJ  = 


'-1 

0 

0 

1 

-l" 

1 

0 

-1  0 

1 

1 

-1 

0 

0 

1 

0 

1 

-1 

1 

1 

1 - 

O 

0 

1 

-1 

- 1 

o 

which  also  has  a  rank  of  4.  Thus  the  marking  is  reachable  from  the  initial  marking 
M0  via  a  unique  firing  vector  F.  This  firing  vector  is 

F  =  [2  11  1]‘. 

It  should  be  noted  that,  although  in  this  case  F  represents  the  firing  sequence,  {tl,  t2, 
t3,  t4,  tl),  it  is  not  always  possible  to  construct  such  a  sequence  from  a  derived  firing 
vector,  making  it  impossible  to  reach  the  desired  marking  although  algebraically  it 
appears  to  be  possible.  This  is  explained  more  thoroughly  later  in  this  section. 
Consider  now  M2  where 


am2  = 

m2 

-  M 

0 

[-1 

0  0 

'-1 

0 

0 

1 

-l" 

1 

0 

-1 

0 

0 

[C|AM2]  = 

1 

-1 

0 

0 

0 

0 

1 

-1 

1 

0 

0 

0 

1 

-1 

0 

This  augmented  matrix  has  a  rank  of  5,  which  is  larger  than  the  rank  of  C,  thus  the 
marking  M2  is  not  reachable  from  Mg. 

It  should  be  noted  that  although  matrix  analysis  gives  the  firing  vector  required  to 
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reach  the  desired  marking,  the  firing  sequence  represented  by  the  vector  may  be 
impossible.  Consider  the  marking 

M  =  [10  10  0]*. 

The  above  analysis  gives  the  firing  vector 

F  =  [10  1  1]* 

which  corresponds  to  a  firing  sequence  involving  transitions  tl,  t3,  and  t4.  However, 
t3  is  only  enabled  when  there  is  a  token  in  both  places  P2  and  P4.  This  means  t2  must 
fire,  but  t2  is  not  described  as  firing  by  F.  Thus,  there  exists  no  possible  firing 
sequence  corresponding  to  F.  This  downfall  in  matrix  analysis  results  from  the  fact 
that  firing  vectors  do  not  represent  in  any  way  the  order  in  which  transitions  fire. 
Thus  with  this  type  of  analysis,  it  is  important  to  make  sure  the  results  make  sense  not 
only  mathematically,  but  also  within  the  PN  definition. 

2.8  Converting  a  Petri  net  into  a  continuous  time  Markov  chain 

In  [14]  there  is  a  short  algorithm  which  allows  a  PN  to  be  converted  into  a  CTMC. 
Defining  NM  as  the  set  of  new  markings,  RS  as  the  reachability  set,  E(m)  as  the  set  of 
transitions  which  can  fire  when  the  PN  has  the  marking  m  (it  should  be  noted  that  if 
an  immediate  transition  is  enabled,  then  any  enabled  timed  transitions  are  considered 
not  to  be  enabled),  Q  is  the  probability  of  moving  between  states  and  P  the  initial  state 
of  the  CTMC.  The  algorithm  for  converting  the  PN  defined  by  S  into  the  CTMC 
defined  by  RS,  Q  and  P(0)  is: 

•  input :  S  =  (P,  T,  I,  O,  M0,  Q.) 

NM  :=  [M0};  RS  :=  {M0} 

•  While  NM  *  {0}  do 

•  let  m  e  NM 

•  NM  :=  NM  -  [m] 

•  For  all  t  e  E(m)  do 

•  let  m'  be  the  marking  obtained  after  the  firing  of  t  in  m 

•  store  Q(m,  m',  fl(t,  m)) 

•  if  m'  g  RS  Then  NM  =  NM  u  [m'} 

RS  =  RS  u  [m'} 

•  P(0)  =  (100  ...  0) 

This  algorithm  constructs  the  sets  RS,  Q,  and  P(0).  RS  contains  the  states  of  the  CTMC, 
Q  the  probability  of  moving  from  one  state  to  the  next,  and  P(0)  the  initial  probability 
vector  of  the  chain.  It  should  be  noted  that  only  PN  with  a  finite  number  of  reachable 
markings  can  be  converted  into  a  CTMC  with  this  algorithm.  The  generator  matrix  is 
constructed  in  such  a  way  that  the  vanishing  markings  are  listed  first,  and  then  the 
tangible  markings.  From  here  the  CTMC  can  be  analysed  to  get  information  about  the 
PN.  For  more  information  about  this  type  of  analysis  see  [14]. 

2.9  Coloured  Petri  nets 

In  many  modelling  situations  there  is  a  need  to  distinguish  between  different  elements 
in  the  system.  For  example  there  may  be  a  need  to  distinguish  between  different  types 
of  resources,  customers,  information,  etc.  This  is  easily  achieved  by  being  able  to 
differentiate  between  tokens,  that  is,  introduce  coloured  tokens  into  the  PN  model.  Each 
coloured  token  represents  a  different  physical  identity  in  the  system  being  modelled. 
This  allows  for  varying  firing  modes  of  transitions,  each  mode  depending  on  the  colours 
of  the  tokens  present  in  the  input  places.  These  firing  modes  can  also  have  different 
output  places  and  different  output  token  colours.  A  PN  with  these  properties  is  called 
a  coloured  Petri  net  (CPN)  and  is  defined  by  the  8-tuple 
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(C,  P,  T,  K,  O,  I,  O,  M,,,  12} 

where  •  C  is  the  set  of  coloured  tokens.  Each  token  may  be  a  complex  data 
structure  which  reflects  the  type  of  infromation  stored  at  the  places 
where  the  token  can  be  located; 

•  P  is  the  set  of  places; 

•  T  is  the  set  of  transitions; 

•  K  maps  each  place  into  the  set  of  possible  token  colours  that  can  be 
found  in  the  place.  Thus  V  p  e  p,  K(p)  c  C  defines  the  possible 
token  colours  of  place  p; 

•  $  maps  each  transition  into  the  set  of  possible  firing  modes.  That 
is,  V  t  e  T  <b(t)  contains  the  possible  firing  modes  of  transition  t; 

•  I(p,t)c,4,  is  a  mapping  of  c  x  <j>  -»  Zf,  where  c  e  K(p)  and  <}>  e  <X>(t), 
which  defines  the  input  arc  inscriptions; 

•  0(t,p)t(C  is  a  mapping  of  <b  x  c  -4  Z*,  where  c  e  K(p)  and  <}>  e  <h(t), 
which  defines  the  output  arc  inscriptions; 

•  M0  is  the  mapping  of  K(p)  -» Z',  which  describes  the  initial 
distribution  of  coloured  tokens  in  the  CPN.  Thus,  if  initially  l 
tokens  of  colour  i  are  present  in  place  p,  then  K(p)j  =  /;  and 

•  Q  defines  either  an  average  firing  rate  of  the  transitions  firing  mode 
if  it  is  a  timed  transition,  or  a  weight  if  it  is  an  immediate  transition. 

The  CPN  definition  given  above  is  an  extension  of  the  CPN  definition  given  in  [31] 

and  [18-19].  Consider  now  the  CPN  in  Figure  6. 

In  this  CPN: 

C  =  (a,  b,  c,  d,  e] 

P  =  [PI,  P2,  P3,  P4,  P5,  P6} 

T  =  [tl,  t2,  t3,  t4] 

K(P1)  =  K(P3)  =  [a],  K(P2)  =  K(P4)  =  [c,  b),  K(P5)  =  {d},  K(P6)  =  {e} 

O(tl)  =  {1},  0(t2)  =  {2,  3],  <E(t3)  =  {4},  4»(t4)  =  {5} 

I(Pl,tl)al  =  1,  I(P2,t2)b2  =  1, 1(P2,t2)c3  =  1,  I(P3,t3)a4  =  l,I(P4,t3)b4  =  1, 1(P4,t4)c5  =  1, 
I(P5,t5)dS  =  1 

0(tl,P3)al  =  1,  0(t2,P4)bz  =  1,  0(t2,P4)c3  =  1,  0(t3,P5)d4  =  1,  0(t4,P6)e5  =  1 

M0(P1).  =  1,  M0(P2)b  =  0,  M0(P2)C  =  1,  M0(P3)a  =  0,  M0(P4)b  -  1,  M0(P4)b  =  0, 
M0(P5)d  =  0,  M0(P6)e  =  0 
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P1 ) — > - M — >— — ( p3 


(7b) — — (V) 


« — — ( P6 


Figure  6:  Example  of  a  coloured  Petri  net 

CPN  have  similar  firing  rules  to  PN  only  now  the  colour  of  the  tokens  in  the  input 
places  must  be  considered.  Thus  firing  mode  F(tj)k  is  enabled  when  each  of  the  input 
places  of  transition  tj  have  the  correct  colours,  ie  for  all  Pi  e  P  and  h  e  C(Pi) 
I(Pi/tj)h  -  M(Pi)h.  If  this  is  true  then  the  transition  may  fire,  removing  the  specified 
tokens  from  each  input  place,  and  placing  the  relevant  coloured  tokens  in  the  output 
places. 

As  with  PN,  CPN  can  be  represented  by  matrix  notation.  The  CPN  with  n  places  and 
m  transitions  can  be  represented  by  the  n  x  m  block  matrix,  C,  again  referred  to  as  the 
incidence  matrix.  Note  that  the  above  notation  for  O  and  I  can  easily  be  converted 
into  matrix  form,  where  for  example,  0(tj,Pi)  is  a  matrix  of  size  |K(Pi)|  x  |<f>(tj)|,  in 
which  the  rows  represent  the  token  colours  and  the  columns  the  firing  modes.  Thus 
the  block  matrix  representing  the  change  to  the  number  of  coloured  tokens  in  Pi  when 
fires  is  defined  by 


C(Pi,tj)  =  0(tj,Pi)  -  I(Pj,ti). 

The  marking  of  the  CPN  can  be  represented  by  the  n  x  1  block  vector  where  M(Pi)  is  a 
I  K(Pi)  |  x  1  vector,  in  which  each  element  relates  to  the  number  of  the  given  coloured 
tokens  which  can  appear  in  place  Pi.  The  firing  sequence  of  a  CPN  can  be  represented 
by  an  m  x  1  block  vector,  in  which  each  element  is  a  |<I>(tj)|  x  1  vector,  which 
corresponds  to  the  number  of  times  a  given  firing  mode  of  transition  tj  fires,  in  the 
firing  sequence.  As  with  PN,  if  we  are  given  the  CPN  incidence  matrix,  initial 
marking  vector,  and  the  firing  vector,  the  resulting  marking  can  be  calculated  from, 

M  =  M0  +  CF 

Consider  the  CPN  in  Figure  6.  For  this  example 


C  = 

where 

Cl  =  C3  =  C5 


-Cl 

0 

0 

0  " 

0 

-C2 

0 

0 

Cl 

0 

-C3 

0 

0 

C2 

-C4 

-C5 

0 

0 

C3 

-C5 

0 

0 

0 

C5 

[1], 

C2  = 

1  0 

0  1 

1 

and  C4  = 

0 

and 
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M0  =  [Ml  M2  M3  M4  M5  M6]‘ 


where 


Ml  =  [1],  M2  = 


0 


M3  =  M5  =  M6  =  [0],  and  M4 


1 

0 


Given  that  firing  mode  1  of  transition  tl  fires,  firing  mode  3  of  transition  t2  fires  and 
firing  mode  4  of  transition  t3  fires,  the  firing  vector  is 


F  = 


FI 

F2 

F3 

F4 


where 


FI  =  F3  =  [1],  F2 


0 

1 


L  and  F4  =  [0]. 


So  the  resulting  marking  can  be  calculated  from 

M  =  M0  +  C  F 


which  gives  the  marking 


where 


M 


M'l  =  M'3  =  M'6  =  [0],  M2 


M'l 

M'2 

M'3 

M'4 

M'5 

M'6 


L 

J 

0 

0 

S 

II 

0 

1J 

and  M'5 


[li¬ 


lt  should  be  noted  that  the  extensions  presented  in  this  document  are  only  a  sample  of  the 
many  extensions  which  can  be  made  to  PN.  More  may  be  found  in  literature  on  PN,  such  as 
[6],  [12]  and  [44].  Most  PN  extensions  can  be  modelled  by  ordinary  PN.  For  example  CPN 
can  be  converted  into  PN,  as  shown  later  when  the  CPN  in  section  4,  which  is  converted  to  a 
PN  in  section  5.1. 
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3  A  COMMAND  AND  CONTROL  SYSTEM 


Consider  the  air  defence  of  a  significant  asset.  Such  an  asset  may  be  an  important  runway  or 
a  large  storage  facility.  To  protect  the  asset  from  air  attacks  the  position  is  equipped  with 
two  operator  guided  surface-to-air  missile  (SAM)  kits,  a  radar,  a  command  centre,  and 
communication  links  between  the  command  centre  and  each  SAM  operator. 

3.1  System  layout 

Consider  the  case  when  the  air  threat  comes  from  a  180°  arc,  stretching  from  north  to 
south  in  a  clockwise  direction  and  the  terrain  surrounding  the  asset  does  not  impede 
either  the  range  of  the  SAM  or  the  radar.  The  SAM  range  is  less  than  that  of  the 
radar,  so  the  full  detection  range  of  the  radar  cannot  be  covered.  The  SAM  sites  are 
positioned  to  give  maximum  coverage  of  the  area  to  protect.  These  positions  are 
shown  as  SAM  1  and  SAM  2  in  Figure  7.  The  SAM  range,  detection  line  and  line  of 
weapon  release  are  also  indicated.  All  enemy  aircraft  must  be  destroyed  before  they 
reach  the  line  of  weapon  release  or  they  will  destroy  the  asset.  The  area  surrounding 
the  asset  has  been  divided  into  three  sectors.  Each  sector  has  a  unique  set  of  SAM  sites 
which  can  effectively  fire  at  aircraft  detected  in  it.  Note  that  the  sectors  are  arranged 
so  that  they  coincide  with  the  intercept  between  the  line  of  weapon  release  and  the 
SAM  range.  Table  1  shows  which  of  the  different  SAM  sites  are  effective  in  each  of 
the  sectors. 


3.2  Sequence  of  events 

Each  time  an  aircraft  is  detected  by  the  radar  the  following  events  occur: 

(a)  The  command  centre  determines  which  SAM  site  it  will  be  assigned  to.  This  is 
accomplished  by  taking  into  account  the  sector  the  aircraft  is  in  and  the  current 
availability  of  SAM  sites.  SAM  sites  which  are  assigned  aircraft  are  considered 
unavailable.  If  none  of  the  available  SAM  sites  can  effectively  deal  with  the 
aircraft,  then  the  aircraft  is  placed  in  a  queue.  Such  an  aircraft  is  assigned  when 
an  appropriate  SAM  site  becomes  available. 

(b)  Once  the  command  centre  has  determined  which  SAM  sites  will  be  assigned 
aircraft,  the  aircraft  flight  path  is  passed  to  the  chosen  SAM  site.  This  is  done 
through  the  communication  link  between  each  SAM  site  and  the  command 
centre.  The  aircraft  now  becomes  the  sole  responsibility  of  the  SAM  operator. 

(c)  The  SAM  operator  locates  the  aircraft  and  aims  his  weapon  at  it. 

(d)  Once  the  aircraft  has  been  acquired  by  the  SAM  operator,  an  assessment  is 

carried  out  to  determine  if  it  is  friend  or  foe. 

(e)  If  the  SAM  operator  decides  that  the  aircraft  is  not  a  threat  to  the  asset,  then  it  is 

allowed  to  pass.  The  SAM  site  returns  to  its  ready  status,  and  the  command 

centre  is  informed  of  the  SAM  site's  availability. 

(f)  However,  if  the  aircraft  proves  to  be  a  threat,  the  SAM  operator  tracks  the 
aircraft  and  fires  at  it.  The  operator  then  guides  the  missile  to  the  aircraft 
destroying  it.  Once  the  enemy  aircraft  has  been  destroyed,  the  SAM  operator 
reloads  and  returns  to  the  ready  status.  He  then  communicates  his  availability. 

This  sequence  of  events  is  followed  for  each  detected  aircraft. 


16 


DSTO-TR-0462 


Figure  7:  Defensive  layout  for  air  defence  of  an  asset 


Table  1:  Sets  of  SAM  sites  which  are  effective  in  given  sectors. 


Sector  Number 

Effective  SAM  sites 

SI 

SAM  1 

S2 

SAM  1,  SAM  2 

S3 

SAM  2 

4  THE  CPN  MODEL 


This  section  will  outline  how  a  CPN  can  be  used  to  model  the  system  described  in  section  3. 
To  avoid  enlarging  the  model,  which  would  make  it  harder  to  understand  and  relate  to  other 
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C2  systems,  some  assumptions  will  be  made.  In  section  5  this  model  will  be  used  to  analyse 
time  delays  in  the  system  and  look  at  a  method  of  determining  cost  effective  changes  that 
can  be  made. 


4.1  Assumptions 

As  this  model  is  intended  only  as  a  means  of  demonstrating  the  use  of  CPN's  as  a 
modelling  tool  for  C2  systems,  a  number  of  assumptions  have  been  made  to  reduce  the 
size  of  the  model.  These  are: 

(a)  All  the  aircraft  stay  in  the  same  sector  once  the  radar  has  detected  them.  Thus 
the  aircraft  can  be  covered  by  the  same  SAM  site  throughout  its  flight,  removing 
the  need  to  transfer  the  aircraft  to  a  different  SAM  site  if  they  move  into  a  sector 
where  the  selected  SAM  site  is  ineffective. 

(b)  All  aircraft  are  detected  by  the  radar  when  they  reach  the  detection  range.  This 
means  the  SAM  operators  do  not  have  to  search  for  aircraft  that  may  have 
evaded  the  radar.  Thus  SAM  operators  only  search  for  aircraft  to  which  they 
have  been  assigned  by  the  command  centre. 

(c)  The  probability  of  a  kill,  once  a  SAM  site  fires,  is  1.  Therefore  if  an  aircraft  is 
fired  upon  before  passing  the  line  of  weapon  release,  it  will  be  destroyed  before 
it  can  deliver  its  ordinance  and  destroy  the  asset. 

(d)  All  the  aircraft  fly  at  approximately  the  same  altitude.  This  makes  the  SAM 
range  topographically  equivalent  for  each  aircraft,  fixing  the  effective  range  (see 
Figure  7)  for  each  aircraft. 

(e)  All  aircraft  designated  as  friendly  are  not  a  threat  to  the  asset  and  only  enemy 
aircraft  as  shot  down.  This  model's  purpose  is  to  study  the  time  delays 
involved  in  the  system,  and  is  not  concerned  with  friendly  fire  or  deception 
techniques. 

(f)  The  perceived  threat  of  the  aircraft  is  independent  of  the  sector  that  the  aircraft 
is  detected  in. 

Without  these  assumptions  considerably  more  detail  would  be  added  to  the  model, 
making  it  even  more  complicated,  and  harder  for  the  reader  to  relate  the  concepts 
demonstrated  to  other  C2  systems.  For  example,  assumption  5  can  be  removed  by 
dividing  the  sky  around  the  asset  into  more  sectors.  This  allows  for  aircraft  of 
different  altitudes  to  be  present  in  the  model,  as  these  will  correspond  to  different 
sectors.  As  before,  each  sector  would  contain  a  unique  set  of  effective  SAM  sites. 
There  would  be  more  sectors  that  needed  to  be  considered,  some  of  which  would  be 
height  dependent. 


4.2  Model  Description 

The  CPN  of  this  system  is  shown  in  Figure  8.  It  involves  11  places,  17  transitions,  and 
5  different  coloured  tokens.  The  five  tokens  are  SI,  S2,  S3,  Ml  and  M2.  SI,  S2,  and  S3 
correspond  to  an  aircraft  arriving  in  sector  1,  2,  or  3,  respectively.  Ml  and  M2 
represent  the  current  process  which  SAM  1  and  SAM  2,  respectively,  are  performing. 
To  explain  this  CPN,  a  brief  outline  of  what  each  transition  represents  in  the  problem 
system  and  how  they  effect  the  distribution  of  the  tokens  among  the  places,  is  given. 
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V 


V 


Figure  8:  A  coloured  Petri  net  model  of  the  air  defence  of  an  asset 


4.2.1  The  arrival  of  the  aircraft:  Transitions  tl-t3 

Transitions  tl-t3  correspond  to  the  detection  of  aircraft.  Each  transition 
corresponds  to  the  presence  of  an  aircraft  in  a  different  sector.  For  example  an 
S2  token  in  place  PI  corresponds  to  a  threatening  aircraft  in  section  S2. 
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4.2.2  Aircraft  assignment:  Transitions  t4-t5 

Transitions  t4-t5  relate  to  the  assigning  of  an  aircraft  to  a  selected  SAM  site,  and 
the  passing  of  the  flight  path  information.  Aircraft  can  only  be  assigned  to  a 
SAM  site  if  there  is  an  available  site  which  can  destroy  it  before  it  reaches  the 
line  of  weapon  release.  For  example,  if  an  SI  token  is  in  place  PI  then  the 
aircraft  can  only  be  assigned  to  SAM  1.  Hence  t4  will  only  fire  if  an  Ml  token  is 
also  present  in  place  PI.  The  firing  of  this  transition  removes  the  Ml  and  SI 
tokens  from  PI  to  and  places  an  Ml  token  in  place  P2. 


4.2.3  Location  and  investigation  of  aircraft:  Transitions  t6-t7 

Transitions  t6-t7  correspond  to  the  time  spent  by  the  SAM  site  operator  to  find 
the  aircraft  in  the  sky,  train  the  weapon  system  on  the  target,  investigate  it,  and 
decide  its  status. 


4.2.4  SAM  operator  assessment:  Transitions  t8-tll 

Transitions  t8-tll  are  immediate  transitions  relating  to  the  resulting  decision 
made  by  the  SAM  operator  about  the  incoming  aircraft.  The  firing  of  t8  or  til 
means  that  the  aircraft  is  a  threat  to  the  asset,  and  t9  or  tlO  relate  to  the  aircraft 
being  allowed  to  pass. 

4.2.5  Missile  fire:  Transitions  tl2  and  tl5 

Transitions  tl2  and  tl5  correspond  to  the  SAM  operator  firing  the  missile  and 
tracking  the  aircraft  to  guide  the  missile  onto  it. 

4.2.6  Return  to  ready  status:  Transitions  tl3-tl4  and  tl6-tl7 

Transitions  tl3-tl4  relate  to  the  SAM  site  allowing  the  aircraft  to  pass,  the  SAM 
site  being  returned  to  the  ready  status,  and  the  communication  of  its  readiness 
to  the  command  centre.  Transition  tl6-tl7  correspond  to  the  SAM  site  reloading, 
returning  to  the  ready  status,  and  communicating  the  site's  availability. 


Transitions  tl2  and  tl6,  and  tl5  and  tl7  have  been  separated,  as  the  analysis  being 
carried  out  is  concerned  with  the  time  taken  to  destroy  the  aircraft.  Therefore,  there 
needs  to  be  a  place  which  represents  the  state  in  which  the  aircraft  has  just  been 
destroyed.  For  SAM  1  this  state  is  represented  in  the  model  by  a  token  in  place  P10, 
and  for  SAM  2,  a  token  in  place  Pll.  So,  although  the  actions  which  relate  to  tl2  and 
tl6  (tl5  and  tl7)  may  logically  be  grouped  together,  for  analysis  reasons  they  must  be 
separated. 

The  immediate  transitions  t8-tll  are  used  as  generators  of  information.  The  weights 
placed  on  these  transitions  relate  to  the  probability  of  the  aircraft  being  a  friend  or  a 
foe.  The  timed  transitions  correspond  to  the  time  it  takes  for  an  event  to  occur  or  a 
task  to  be  performed. 


5  MODEL  ANALYSIS 


The  CPN  model  described  in  section  4  will  now  be  analysed  to  study  the  efficiency  of  the  air 
defence  system  it  represents.  There  are  a  number  of  packages  such  as  Great  SPN,  [7],  and 
SPNP,  [8],  available,  which  do  PN  analysis.  These  packages  concentrate  on  equilibrium 
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probabilities.  They  also  work  on  the  general  principle  of  converting  the  PN  into  a  finite 
CTMC,  and  analysing  this  chain.  For  the  CPN  described  above,  this  is  not  possible,  as  place 
PI  is  unbounded  and  thus  converts  to  a  Markov  chain  with  an  infinite  number  states.  This 
can  be  prevented  by  using  inhibitor  arcs  with  a  given  multiplicity  from  PI  to  tl,  t2,  and  t3,  or 
by  initially  starting  with  only  k  tokens  in  a  newly  defined  input  place  to  transitions  tl,  t2, 
and  t3.  If  these  restrictions  are  made  then  the  above  packages  could  be  used  to  obtain  long 
term  equilibrium  information.  Unfortunately  for  the  analysis  being  carried  out  in  this 
document  only  transient  properties  are  of  interest.  These  properties  are  unattainable  from 
packages  like  SPNP  and  Great  SPN.  For  this  reason  the  CPN  model  was  simulated. 

There  are  two  possible  approaches  which  can  be  taken  in  simulating  a  CPN,  either  direct 
simulation  of  the  CPN,  or  conversion  of  the  CPN  into  a  PN  and  simulation  of  the  PN.  The 
PN  model  of  this  C2  system  is  shown  in  Figure  9.  This  removes  the  need  to  have  block 
matrices  as  described  in  section  2.9.  The  simulation  is  used  to  determine  which  of  five 
possible  improvements  to  the  system  is  most  cost  effective. 

5.1  The  CPN  to  PN  conversion 

In  converting  the  CPN  given  in  section  4  to  a  PN  a  process  of  unfolding  is  carried  out. 

The  representation  of  PI,  t4,  and  t5  in  Figure  8  were  changed  as  follows: 

(1)  Place  PI  is  now  represented  by  five  places:  Pla,  Plb,  Pic,  Pld,  and  Pie.  A  token 
in  place  Pla,  Plb,  or  Pic  corresponds  to  an  aircraft  in  sector  SI,  S2,  or  S3, 
respectively.  For  example,  a  token  in  Pla  means  there  is  an  aircraft  in  sector  SI, 
and  this  corresponds  to  a  SI  token  in  place  PI  of  the  CPN.  A  token  in  place 
Pld  or  Pie  of  the  PN  corresponds  to  the  availability  of  SAM  sites  one  and  two 
respectively.  Thus  a  token  in  Pld  or  Pie  is  the  same  as  the  presence  of  an  Ml 
or  M2  token,  respectively,  in  PI  of  the  CPN  in  Figure  8. 

(2)  Transition  t4  of  the  CPN  is  represented  in  the  PN  by  two  transitions:  t4a  and 
t4b.  Each  of  these  transitions  correspond  to  one  of  t4's  firing  modes.  t4a  relates 
to  an  aircraft  in  sector  one  being  assigned  to  SAM  1,  and  t4b  a  sector  two 
aircraft. 

(3)  As  with  transition  t4,  t5  of  the  CPN  is  represented  by  two  transitions  in  the  PN: 
t5a  and  t5b.  Once  again,  these  relate  to  the  two  firing  modes  of  t5.  t5a  to  an 
aircraft  in  sector  two  being  assigned  to  SAM  2,  and  t5b  an  aircraft  in  sector 
three. 

The  PN  shown  in  Figure  9  can  be  represented  by  a  6-tuple  as  set  out  in  section  2.1.  It 

is  this  representation  which  is  used  in  simulating  the  PN. 


5.2  The  simulation 

An  event-stepping  simulation  of  the  PN  in  Figure  9  was  written  in  Turbo  Pascal.  The 
Erlang-5  probability  distribution  was  used  to  determine  the  time  to  fire  of  the  timed 
transitions.  This  distribution  was  chosen  as  it  has  a  coefficient  of  variation 
considerably  less  than  one  and  so  it  seems  to  model  well  the  duration  of  these 
activities.  The  immediate  transitions  fire  in  accordance  with  the  firing  rules  expressed 
in  section  2.5. 
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The  sequence  of  events  which  the  program  follows  is: 

(1)  The  program  checks  which  transitions  are  enabled.  As  the  marking  of  the  PN  is 
represented  in  a  vector,  and  the  input  arcs  in  a  matrix,  the  program  simply 
compares  the  current  marking  with  the  number  of  tokens  required  in  each  place, 
to  enable  the  transition  currently  being  tested.  At  the  beginning  of  the 
simulation  there  is  one  token  in  place  Pld  and  one  in  place  Pie,  so  only  tl,  t2, 
and  t3  are  enabled. 

(2)  The  program  finds  which  transition  is  scheduled  to  fire  next.  Initially  the  newly 
enabled  transitions  are  placed  in  the  event  schedule.  Then  the  transitions  which 
were  disabled  by  the  last  transition  fired  are  removed  from  the  event  schedule. 
Finally,  the  transition  which  will  fire  next  is  determined  using  the  firing  rules 
outlined  in  section  2.5. 

(3)  The  final  process  is  the  firing  of  the  transition.  This  updates  the  marking 
according  to  the  input  and  output  arc  matrices.  This  process  also  controls  the 
aircraft.  The  aircraft  are  placed  in  a  link  list  as  they  arrive  and  their  time  of 
arrival  is  recorded.  As  transitions  fire,  the  aircraft's  position  in  the  PN  is 
updated,  so  that  if  it  is  destroyed,  the  time  till  its  destruction  can  be  calculated. 

The  processes  above  are  repeated,  until  the  time  taken  to  destroy  an  enemy  aircraft  is 
greater  than  the  maximum  allowed  time;  that  is  the  asset  has  been  destroyed.  The 
total  simulation  run  time  and  the  number  of  aircraft  destroyed  is  then  recorded  for 
analysis. 


5.3  Trial  system  improvements 

In  analysing  the  model  six  different  configurations  of  the  C2  systems  were  considered. 
Initially  data  was  gathered  on  the  C2  system  as  it  is  described  above.  Then  five 
improvements  to  this  initial  system  were  considered  to  determine  which  would  result 
in  the  greatest  system  efficiency.  The  changes  where: 

(i)  In  Trial  1  an  artificial  decision  maker  is  placed  in  the  command  centre.  It 
decides  which  SAM  site  deals  with  the  incoming  threat.  This  decision  is  almost 
instantaneous  and  the  only  time  now  involved  in  transitions  t4  and  t5  is  the 
communication  of  the  aircraft  flight  information  to  the  selected  SAM  site. 

(ii)  Trial  2  corresponds  to  the  SAM  operators  being  given  a  better  method  of 
locating  the  detected  aircraft,  such  as  improved  aircraft  flight  information.  This 
means  that  the  time  taken  by  the  operator  to  find  the  aircraft  is  reduced,  thus 
reducing  the  average  firing  time  of  transitions  t6  and  t7. 

(iii)  Trial  3  relates  to  the  use  of  a  missile  that  is  about  twice  as  fast  as  the  original 
one,  reducing  the  post-firing  guiding  time,  that  is,  changing  the  parameters  of 
tl2  and  tl5. 

(iv)  In  Trial  4  fire  and  forget  missiles  are  used,  once  again  reducing  the  mean  firing 
time  of  tl2  and  tl5. 

(v)  Trial  5  relates  to  the  use  of  a  multi-missile  launcher.  This  does  not  mean  a  SAM 
site  can  engage  more  than  one  aircraft  but  does  remove  the  need  for  a  SAM  site 
to  reload  before  being  assigned  a  new  aircraft.  This  reduces  the  average  firing 
times  of  transitions  tl6  and  tl7. 

The  model  presented  in  section  5.1  was  analysed  to  determine  the  effect  of  each  of 
these  changes  to  the  C2  system.  The  transition  rates  are  given  in  Table  2.  Only  the 
changes  made  to  the  initial  firing  rates  are  shown  in  the  case  of  the  five  different  trials. 
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The  critical  quantity  was  how  long  it  took  a  token  to  travel  from  place  Pla,  Plb,  or  Pic 
to  either  place  P10  or  Pll.  That  is,  the  time  take  for  a  detected  enemy  aircraft  to  be 
destroyed.  If  this  value  was  greater  than  100s,  the  asset  was  considered  destroyed. 
The  number  of  aircraft  destroyed  and  current  run  time  when  the  asset  was  destroyed 
were  then  stored  and  the  simulation  run  again.  This  process  was  continued  for  the  six 
different  configurations  given  above.  Each  trial  affects  the  firing  times  of  the 
transitions'  firing  modes.  It  should  be  noted  that  the  times  taken  for  the  described 
events  to  occur  are  arbitrary  and  in  no  way  relate  to  any  particular  existing  system. 
They  are  used  for  illustration  only. 

The  results  of  the  five  upgrades  presented  and  the  initial  scenario,  are  given  in  the 
next  section. 


5.4  Model  Results 

The  results  for  each  of  the  trials  and  the  initial  run  are  shown  in  Table  3.  It  should  be 
noted  that  each  of  the  sets  of  data  involves  1000  rims.  A  run  always  starts  with  the 
same  initial  marking  and  an  empty  event  queue,  and  ends  when  the  asset  is  destroyed. 
Included  in  Table  3  is  a  90%  confidence  interval  of  the  mean,  calculated  from  the 
standard  normal  distribution. 


5.5  Model  Conclusion 

Table  3  clearly  shows  the  effect  on  the  system  efficiency  for  each  of  the  proposed 
changes.  Consider  now,  which  of  the  changes  suggested  gives  the  best  result  for  the 
investment  made  in  implementing  the  change.  Table  3  shows  that  all  of  the  changes 
suggested  above  benefit  the  air  defence  system  described.  So  the  question  is,  which  of 
the  changes  is  most  cost  effective.  First  a  ranking  of  the  changes  in  order  of  most 
advantageous  to  least  favourable  must  be  established.  Putting  aside  the  question  of 
confidence  intervals,  this  order  is: 

•  Fire  and  forget  missiles.  Trial  4. 

•  Artificial  decision  maker  in  the  command  centre.  Trial  1. 

•  Better  location  method.  Trial  2. 

•  Faster  missiles.  Trial  3. 

•  Multi-missile  launcher.  Trial  5. 

A  possible  ranking  of  implementation  costs,  in  order  of  increasing  cost  is: 

•  Better  location  method.  Trial  2. 

•  Artificial  decision  maker  in  the  command  centre.  Trial  1. 

•  Multi-missile  launcher.  Trial  5. 

•  Faster  missiles.  Trial  3. 

•  Fire  and  forget  missiles.  Trial  4. 

Carrying  out  a  t-test  with  90%  confidence.  Trial  1  and  Trial  4  give  the  greatest 
improvement.  Combining  this  information  with  the  above  cost  ranking  would  indicate 
that  the  most  cost  effective  change  is  to  introduce  the  use  of  an  artificial  decision 
maker  in  the  command  centre.  Trial  1. 
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Table  3:  Simulation  results 


TRIAL 


TIME 

COUNT 

Mean 

Confidence 
Interval  for 
the  Mean 

Standard 

Deviation 

Mean 

Confidence 
Interval  for 
the  Mean 

1761 

(1682,1840) 

1518 

17.21 

(16.42,18.01) 

2961 

(2815,3107) 

2815 

29.82 

(28.34,31.30) 

2701 

(2574,2828) 

2442 

(26.02,28.66) 

2430 

(2311,2549) 

2282 

24.24 

(22.03,25.49) 

3124 

(2978,3270) 

2813 

31.59 

(30.08,33.10) 

2392 

(2281,2503) 

2143 

24.10 

(22.95,25.25) 
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6  CONCLUSIONS 

This  document  has  introduced  a  CPN  notation  that  can  be  used  to  model  C2  systems.  The 
advantages  of  using  CPN  in  the  modelling  of  C2  systems  has  been  shown  though  the  use  of 
an  example.  This  example  shows  how  the  CPN  of  a  C2  system  can  be  analysed  using 
computer  simulation.  It  also  illustrates  how  easily  a  CPN  model  can  be  changed  to  test 
variations  to  the  system.  It  should  be  noted  that  PN  were  designed  to  model  discrete  event 
systems  with  concurrence  and  resource  sharing  and  so  are  ideal  for  the  modelling  of  C2 
system.  The  extension  of  PN  to  allow  coloured  tokens  has  meant  that  more  complex  systems 
can  be  modelled  without  the  graphical  representation  becoming  unmanageable.  It  is  the 
author's  opinion  that  PN  are  the  ideal  tool  for  modelling  C2  systems. 

One  of  the  main  draw  backs  of  using  PN  is  the  fact  that  there  is  not  much  work  being 
carried  out  in  the  area  of  transient  analysis.  Since  in  many  cases  C2  systems  do  not  reach  an 
equilibrium  state  there  is  no  way  of  directly  analysing  a  C2  PN  model  to  get  the  information 
required.  This  means  that  simulations  must  be  constructed  to  generate  the  results  needed.  It 
also  means  that  there  does  not  exist  packages  that  can  be  used  to  analysis  the  transient 
nature  of  PN  models.  This  is  one  of  the  areas  that  research  is  currently  being  pursued  by 
Systems  Simulation  and  Assessment  Group  of  Information  Technology  Division  and  it  is 
hoped  that  this  research  can  be  combined  to  produce  a  package  capable  of  transient  analysis 
not  only  by  use  of  simulation  but  also  through  direct  methods. 

Another  area  in  which  PN  are  being  applied  by  Systems  Simulation  and  Assessment  Group 
is  in  the  modelling  of  decision  processes  in  C2  systems.  In  this  case  PN  models  will  be  used 
to  supplement  real  decision  makers,  both  groups  and  individuals,  in  a  large  distributed 
interactive  C2  simulation. 
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